X-Cart 4.5.5 released

 
   X-Cart forums > News and Announcements
  #71  
Old 02-20-2013, 04:26 AM
 
carpeperdiem carpeperdiem is offline
 

X-Guru
  
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399
 

Default Re: X-Cart 4.5.5 released

Quote:
Originally Posted by random
Although I am not an author of the most introduced security improvements, I am here to help our clients with the technical issues. Previously actual developers rarely provided post-release support on forum, but we decided that this will be a good practice.
P.S. We are still working on the manual update so it may be a bit inconsistent, please be patient.

And thank you for being here. Since you were the first (and only) one discussing the security "improvements", the appearance that this was your baby is lost in the translation. I didn't mean to single YOU out. My apologies.

It IS a very good practice for the developers to hang out here... and it is appreciated. But maybe there should be some dialog BEFORE rolling the final release? As they say in carpentry, "measure twice, cut once" ?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
  #72  
Old 02-20-2013, 04:30 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: X-Cart 4.5.5 released

Now the cleanup.php feature is protected by
the installation_auth_code

The correct URL is like
http://xcart2-54.crtdev.local/~aim/xcart_4_5_x/cleanup.php?auth_code=BG6GJH39

Code:
[16:27][aim@xcart:p4][~/www/xcart_4_5_x]$ grep BG6GJH39 config.php
$installation_auth_code = 'BG6GJH39';
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group

The following user thanks aim for this useful post:
bullfrog (03-21-2013)
  #73  
Old 02-20-2013, 05:02 AM
 
rolfodolfo rolfodolfo is offline
 

Advanced Member
  
Join Date: Jun 2012
Posts: 32
 

Default Re: X-Cart 4.5.5 released

Thank you Aim, that was helpful!



Quote:
Originally Posted by aim
Now the cleanup.php feature is protected by
the installation_auth_code

The correct URL is like
http://xcart2-54.crtdev.local/~aim/xcart_4_5_x/cleanup.php?auth_code=BG6GJH39

Code:
[16:27][aim@xcart:p4][~/www/xcart_4_5_x]$ grep BG6GJH39 config.php
$installation_auth_code = 'BG6GJH39';
__________________
rfl version X-Cart version 4.5.0 and 4.5.4 (Unix)
  #74  
Old 02-20-2013, 06:01 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: X-Cart 4.5.5 released

Quote:
Originally Posted by carpeperdiem
We need a "master list" of plugins that worked fine in 4.5.4 but are "broken" by the "improvements" in 4.5.5


These smarty plugins work correctly with 4.5.5

1 All from http://www.smarty.net/docsv2/en/ except features disabled by
http://www.smarty.net/docsv2/en/variable.security.tpl

2 All default and custom smarty plugins in the
include/templater/plugins/ directory

3 All custom smarty plugins registered via $smarty->register_*('some_plugin');

4 (Not recommended solution due to security reasons.)
'MODIFIER_FUNCS' => array(
    'count',
    'doubleval',
    'trim',
    'stripslashes',
    'mt_rand',
    'urlencode',
    'is_array'
),

'IF_FUNCS' => array(
    'array', 'list',
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array',
    'true', 'false', 'null'
),

5 print_r and func_print_r are enabled in DEVELOPMENT_MODE (Not recommended solution due to security reasons.)

6 All exceptions like (Not recommended solution due to security reasons.)
Code:
[17:53][aim@xcart:p4][~/www/xcart_4_5_x]$ grep security_settings modules
modules/XMonitoring/config.php:array_push($smarty->security_settings['MODIFIER_FUNCS'], 'substr');

The recommended solutions are 1 2 and 3
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group

The following 3 users thank aim for this useful post:
ADDISON (02-20-2013), carpeperdiem (02-20-2013), cherie (02-20-2013)
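
Added example, not part of the original posts and not X-Cart code: a small audit that flags template modifiers and {if} function calls falling outside the MODIFIER_FUNCS and IF_FUNCS lists quoted in post #74, so custom skins can be checked before an upgrade to 4.5.5. The sample template, the plugin file names and the helper names are constructed for illustration; names registered via $smarty->register_* can be added to the `plugins` set.

```python
import re

# PHP functions allowed under Smarty security, copied from the lists quoted in post #74.
MODIFIER_FUNCS = {"count", "doubleval", "trim", "stripslashes",
                  "mt_rand", "urlencode", "is_array"}
IF_FUNCS = {"array", "list", "isset", "empty", "count", "sizeof",
            "in_array", "is_array", "true", "false", "null"}
# Word operators of Smarty 2 {if}; not function calls even when followed by "(".
IF_OPERATORS = {"and", "or", "not", "eq", "ne", "neq", "gt", "lt", "ge", "gte",
                "le", "lte", "mod", "is", "div", "by", "even", "odd"}
COMMENT = re.compile(r"\{\*.*?\*\}")                  # single-line {* ... *} comments only
TAG = re.compile(r"\{([^{}\n]+)\}")                   # one-line template tags
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")            # string literals may contain | or (
MODIFIER = re.compile(r"\|@?([A-Za-z_]\w*)")          # $x|name and $x|@name
CALL = re.compile(r"(?<![\w$>])([A-Za-z_]\w*)\s*\(")  # name( but not $obj->name(


def plugin_modifiers(filenames):
    """Modifier names provided by plugin files named modifier.<name>.php."""
    return {m.group(1) for f in filenames
            if (m := re.fullmatch(r"modifier\.(\w+)\.php", f))}


def audit_template(text, plugins):
    """Return sorted (line, kind, name) findings for names outside the allow-lists."""
    findings = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in TAG.findall(COMMENT.sub("", line)):
            body = QUOTED.sub('""', tag)              # blank out string contents
            for name in MODIFIER.findall(body):
                if name not in plugins and name not in MODIFIER_FUNCS:
                    findings.add((lineno, "modifier", name))
            if re.match(r"\s*(else)?if\b", body):
                for name in CALL.findall(body):
                    if name not in IF_FUNCS and name not in IF_OPERATORS:
                        findings.add((lineno, "if", name))
    return sorted(findings)


# Constructed sample: a plugin directory listing and a template, not taken from X-Cart.
PLUGINS = plugin_modifiers(["modifier.escape.php", "modifier.truncate.php",
                            "function.html_options.php"])
SAMPLE = """{$product.name|stripslashes|escape}
{$descr|substr:0:80}
{if $cart ne "" and (count($cart.products) gt 0 or strlen($note))}
{$items|@count} {$title|truncate:30:"a|b"}
{* {$old|md5} *}
"""
print(audit_template(SAMPLE, PLUGINS))
```

Each finding is a place where the template relies on a PHP function that is neither a plugin nor on the quoted lists; turning it into a plugin or registered modifier corresponds to options 2 and 3 in the post above.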
  #75  
Old 02-20-2013, 06:03 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: X-Cart 4.5.5 released

Can anyone provide us with feedback related to the reuploaded upgrade packs uploaded on 02-15-2013, 06:38 PM?

How can I improve the packs?
How can I help you with the upgrade process?
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group

The following user thanks aim for this useful post:
ADDISON (02-20-2013)
  #76  
Old 02-20-2013, 06:19 AM
 
carpeperdiem carpeperdiem is offline
 

X-Guru
  
Join Date: Jul 2006
Location: New York City, USA
Posts: 5,399
 

Default Re: X-Cart 4.5.5 released

Quote:
Originally Posted by aim
These smarty plugins work correctly with 4.5.5

1 All from http://www.smarty.net/docsv2/en/ except features disabled by
http://www.smarty.net/docsv2/en/variable.security.tpl

2 All default and custom smarty plugins in the
include/templater/plugins/ directory

3 All custom smarty plugins registered via $smarty->register_*('some_plugin');

4 (Not recommended solution due to security reasons.)
'MODIFIER_FUNCS' => array(
    'count',
    'doubleval',
    'trim',
    'stripslashes',
    'mt_rand',
    'urlencode',
    'is_array'
),

'IF_FUNCS' => array(
    'array', 'list',
    'isset', 'empty',
    'count', 'sizeof',
    'in_array', 'is_array',
    'true', 'false', 'null'
),

5 print_r and func_print_r are enabled in DEVELOPMENT_MODE (Not recommended solution due to security reasons.)

6 All exceptions like (Not recommended solution due to security reasons.)
Code:
[17:53][aim@xcart:p4][~/www/xcart_4_5_x]$ grep security_settings modules
modules/XMonitoring/config.php:array_push($smarty->security_settings['MODIFIER_FUNCS'], 'substr');

The recommended solutions are 1 2 and 3

Roll Call from our leading mod developers, please?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
  #77  
Old 02-20-2013, 07:37 AM
wjbrewer wjbrewer is offline
Banned
 

X-Adept
  
Join Date: Feb 2005
Location: Pittsburgh, PA
Posts: 504
 

Default Re: X-Cart 4.5.5 released

Quote:
Originally Posted by carpeperdiem
Roll Call from our leading mod developers, please?

There was one alteredCart module that conflicted with the new security settings. The One Page Checkout (Checkout One) used stripslashes on the product titles in the cart display. This was fixed earlier this week. Licensed users upgrading to 4.5.5 can download the free update in their Account/Downloads -> My Licenses section at alteredcart.com.

The following 2 users thank wjbrewer for this useful post:
aim (02-20-2013), carpeperdiem (02-20-2013)
  #78  
Old 02-20-2013, 11:28 AM
 
Danimal Danimal is offline
 

Senior Member
  
Join Date: Sep 2006
Posts: 134
 

Default Re: X-Cart 4.5.5 released

Going from XC 4.5.4 (fresh install) to 4.5.5 as we speak.

There are about 35 miles of lines that look like this. How is anyone supposed to scroll through here and find any problems?

This needs to be better organized so that failures are at the bottom of the page. Make it very apparent what is not working (since that list should be shorter, maybe 1/2 a mile long).

Quote:
File admin/popup_create_thumbnail.php successfully patched
File admin/popup_files.php successfully patched
File admin/popup_info.php successfully patched
File admin/popup_product.php successfully patched
File admin/popup_users.php successfully patched

Then there is this in the middle of the page:

Quote:
SQL PATCH: ``patch.sql'' applied successfully
The database was successfully patched !
Converting the xcart_customers structure ...
Could not decrypt the password for user "xxx@xxxxx.com,xxx@xxxxx.com"
Converting the xcart_config structure ...
Converting the xcart_ppa structure ...
AFTER-PATCH was applied successfully.
Updating DB version info.

Glad that there are other users that it will figure out and hopefully I will be able to log in w/o having to blast into the DB to change the password to log in and change it again.


Then about 55 miles of this stuff:
Quote:
Patching file /home/lightmy/www/www/404.php ...
Hunk #1 succeeded at 3.
Hunk #2 succeeded at 34.
done
Patching file /home/lightmy/www/www/README ...
Hunk #1 succeeded at 26.
Hunk #2 succeeded at 137.
done
Patching file /home/lightmy/www/www/VERSION.CLOUD_SEARCH ...
Hunk #1 succeeded at 1.
done
Patching file /home/lightmy/www/www/adaptive.php ...
Hunk #1 succeeded at 3.
Hunk #2 succeeded at 34.

Whew! I am finally at the end of the list. But my mouse needed 2 tire changes in the process and my finger blew a gasket 3/4 the way through the trip.

Might I suggest that in the future all successfully patched objects be documented ONLY in a log file and the only on screen stuff be anything that did NOT patch? And if all patched just end it with Patch applied successfully and the finish button.

I never knew that my browser could go 90+ miles long. I think I have set a new record.

*takes deep breath and hits the finish button*
__________________
~Dani

For version & mods installed, see post.

The following user thanks Danimal for this useful post:
aim (02-20-2013)
  #79  
Old 02-20-2013, 12:09 PM
 
Danimal Danimal is offline
 

Senior Member
  
Join Date: Sep 2006
Posts: 134
 

Default Re: X-Cart 4.5.5 released

Quote:
Access denied !
Access to the resource you are requesting is allowed only for registered IP addresses. The IP address you are currently using is not registered with the system. A request for registering your IP address has been sent to your email.

Error ID: 82

This is interesting. Luckily I had something else bark at me a few days ago about our IP changing. I tell you, this might be a nice feature but the wording on this had me bewildered for a few minutes. The email that followed was equally as confusing to read.

Quote:
You have received this notification from Store Name because you are a registered user or you or some other registered user requested some information for you from our store. At 02/20/2013 15:05:55 EST a user with the login name 'xxx@xxxxx.com' was detected as logged in to your store's Admin area using the IP address xx.xx.xxx.xxx. The IP address used by this user differs from the IP addresses normally used by the administrators of your store. If you believe this user to be one of the store administrators who entered the store through a different ISP using a different IP address and you wish to allow usage of the store from this IP address at all times, click on this link:

[url removed for security]
--------------------------------------------------------------------------------
Thank you for using our shopping system
Store Name
URL: www.storeurl.com


Just posting for anyone that sees this. It is not a big thing. Just click the emailed link and confirm.

edited to add: I got this when trying to update my security settings per the upgrade instructions.
__________________
~Dani

For version & mods installed, see post.

The following user thanks Danimal for this useful post:
aim (02-20-2013)
  #80  
Old 02-20-2013, 12:44 PM
 
jillsybte jillsybte is offline
 

eXpert
  
Join Date: Jun 2006
Location: New York, USA
Posts: 389
 

Default Re: X-Cart 4.5.5 released

I see a few users are having trouble upgrading to 4.5.5. However, has anyone had luck with a fresh install? I wish to move my store to the latest version, but I plan to do a fresh install and start from scratch. I have been waiting to see a more stable version of the 4.5.x branch. Could 4.5.5 be the one?
__________________
X-Cart Gold 4.1.8 (Live)
BCSE Shipping Estimator for FLC Mod
BCSE Shipping Methods per Product Mod
BCSE Customer Review Management Mod
BCSE Catalog Order Form Mod
X-Cart Gold 4.5.2 (Building/Testing)
USA
All times are GMT -8.